WordPress Missing Authorization Vulnerability Allows Arbitrary Note Creation via REST API

Vulnerability

A vulnerability exists in WordPress core versions 6.9 through 6.9.1, allowing authenticated users with Subscriber-level access to create notes on any post. The issue arises because the REST API's 'create_item_permissions_check()' method in the comments controller fails to verify whether the user has the 'edit_post' capability for the target post when a note is being created. As a result, affected users can add notes to posts authored by others, including private posts and posts in any status.

Impact

Exploitation of this vulnerability allows for unauthorized note creation on posts, which could be used to inject misleading or harmful information into the editorial process.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access can use the REST API to create a note on any post without holding the required 'edit_post' capability. This is done by sending a request to the 'wp/v2/comments' endpoint with the 'type' parameter set to 'note' and the 'post' parameter set to the ID of the target post.

Remediation

Users are advised to update WordPress to version 6.9.2 or a newer patched version.
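For sites that cannot apply the 6.9.2 update immediately, the missing check can be re-imposed at the REST layer until the core fix is in place. The following must-use plugin is an added example written for this advisory; it is not WordPress core code and not the official patch. It assumes that the 'rest_pre_insert_comment' filter runs inside the comments controller's create path after the permission check and before the comment is stored, and that returning a WP_Error from it aborts the request. The function name is hypothetical.

```php
<?php
/**
 * Plugin Name: Interim note permission check (added example, not WordPress core code)
 *
 * Place this file in wp-content/mu-plugins/ on a site still running 6.9 or 6.9.1.
 * It re-adds the check the advisory describes as missing: a REST request that
 * creates a comment of type 'note' must come from a user who can edit the
 * target post. After updating to 6.9.2 or later this file is redundant.
 */

// Assumption: 'rest_pre_insert_comment' is applied by
// WP_REST_Comments_Controller::create_item() to the prepared comment before it is
// written, and a WP_Error returned here is sent back to the client as the response.
add_filter( 'rest_pre_insert_comment', 'example_require_edit_post_for_notes', 10, 2 );

function example_require_edit_post_for_notes( $prepared_comment, WP_REST_Request $request ) {
    // Leave earlier errors and ordinary (non-note) comments untouched.
    if ( is_wp_error( $prepared_comment ) || 'note' !== $request->get_param( 'type' ) ) {
        return $prepared_comment;
    }

    $post_id = (int) $request->get_param( 'post' );

    // This is the check create_item_permissions_check() should perform for notes:
    // the caller must be able to edit this specific post. 'edit_post' is a meta
    // capability resolved per post, so private posts and other statuses are covered.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        // Record the blocked attempt so the site owner can see probing in the logs.
        error_log( sprintf(
            'Blocked REST note creation: user %d lacks edit_post on post %d',
            get_current_user_id(),
            $post_id
        ) );

        return new WP_Error(
            'rest_cannot_create_note',
            __( 'Sorry, you are not allowed to add notes to this post.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $prepared_comment;
}
```

The filter only fires on the REST comments endpoint, which is the path the advisory identifies, so it does not affect notes created through other code paths; 'rest_authorization_required_code()' returns 401 for anonymous callers and 403 for authenticated ones, matching how core reports permission failures on this endpoint.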

Added: Mar 11, 2026, 10:19 AM
Updated: Mar 11, 2026, 10:19 AM

Vulnerability Rating

Custom Algorithm (score per category)

spread: 8.8
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.